Security News
Amazon Web Services has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. "This attack abuses the AppSync service to assume roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.
Hundreds of databases on Amazon Relational Database Service are exposing personal identifiable information, new findings from Mitiga, a cloud incident response company, show. Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services cloud.
Apple fixes exploited zero-days: Update your devices! Apple has released security updates for iOS, iPadOS, and macOS Monterey to fix CVE-2022-32894 and CVE-2022-32893, two code execution vulnerabilities exploited by attackers in the wild.
1,900 Signal users exposed following Twilio breach. The attacker behind the recent Twilio data breach may have accessed phone numbers and SMS registration codes for 1,900 users of the popular secure messaging app Signal.
Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx explained it identified a cross-site scripting flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app.
How phishing attacks are exploiting Amazon Web Services. Cybercriminals prefer to use legitimate sites and services in their phishing scams, not just to trick unsuspecting victims but to sneak past security scanners that would otherwise block traffic from a suspicious site.
A vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor and indoor surveillance cameras, could have been exploited by attackers to extract users' personal data and device data, including geolocation, address, and recordings. The vulnerability was discovered by Checkmarx researchers, who went one step further and demonstrated how an attacker could later analyze huge numbers of recordings with the help of computer vision technology to extract additional sensitive information and material.
As the Ring Android app has over 10 million downloads and is used by people worldwide, the ability to access a customer's saved camera recordings could have allowed a wide range of malicious behavior, ranging from extortion to data theft. When analyzing the Ring Android app, Checkmarx found that the app was exposing an 'activity' that could be launched by any other app installed on the Android device.
Amazon is suing over 10,000 administrators of Facebook groups that offer to post fake reviews on the online souk's website in exchange for products and money. Group admins charged $10 per fake review, according to CNBC. Reviewers were also lured with promises of free products in return for sham assessments of items such as car stereos or camera tripods.
Amazon-owned home security company Ring turned over footage to US law enforcement without permission from the devices' owners 11 times so far in 2022, according to details unveiled by Massachusetts senator Ed Markey. Although Amazon policy says police cannot view recordings without owners' explicit permission, that policy does not apply to subpoenas and emergency requests, which is exactly what Amazon said happened in these 11 cases; it also appears that judging what constitutes an emergency request is left up to Ring itself.
AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant's popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster. Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw.